[strongSwan] strongSwan 5.0.4: crash in method memwipe_inline (called by query_sa)
Zoltan Lugossy
zoltan.lugossy at gmail.com
Mon May 27 17:32:39 CEST 2013
Hi,
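I experienced some crashes when using strongSwan 5.0.4.
The problem seems to be pretty straightforward: in the trace below, memwipe
is called from query_sa with ptr=0x0 and a very large n (frame #5), while
query_sa itself shows status = FAILED and len holding that same value
(frame #7), so the buffer appears to be wiped on the failure path, where the
pointer and length are not valid. Based on the code, it could also affect
update_sa.
The call trace is as follows: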
...
Core was generated by `/usr/lib64/ipsec/charon --use-syslog'.
Program terminated with signal 6, Aborted.
(gdb) bt
#0 0x00007f203fb62b35 in raise () from /lib64/libc.so.6
#1 0x00007f203fb64111 in abort () from /lib64/libc.so.6
#2 0x00000000004014f6 in segv_handler (signal=<optimized out>) at
charon.c:183
#3 <signal handler called>
#4 memwipe_inline (n=<optimized out>, ptr=<optimized out>) at
utils/utils.h:411
*#5 memwipe_noinline (ptr=0x0, n=139776064641392) at utils/utils.c:109*
#6 0x00007f203878635d in memwipe (n=<optimized out>, ptr=<optimized out>)
at ../../../../src/libstrongswan/utils/utils.h:432
#7 query_sa (this=0x6394d0, src=<optimized out>, dst=0x673610,
spi=305546929, protocol=50 '2', mark=<optimized out>, bytes=0x7f2026ae5ce0,
packets=0x7f2026ae5cd8)
at kernel_netlink_ipsec.c:1685
#8 0x00007f2040566e6b in update_usebytes (inbound=<optimized out>,
this=<optimized out>) at sa/child_sa.c:432
#9 get_usestats (this=0x66a080, inbound=true, time=0x7f2026ae5d30,
bytes=0x0, packets=0x0) at sa/child_sa.c:530
#10 0x00007f2040567e31 in get_use_time (this=<optimized out>, inbound=true)
at sa/ike_sa.c:288
#11 0x00007f204056a27d in send_dpd (this=0x66be40) at sa/ike_sa.c:594
#12 0x00007f204056466f in execute (this=<optimized out>) at
processing/jobs/send_dpd_job.c:57
#13 0x00007f20409e7fab in process_jobs (worker=0x6614a0) at
processing/processor.c:219
#14 0x00007f20409ea678 in thread_main (this=0x6614d0) at
threading/thread.c:309
#15 0x00007f20400b27b6 in start_thread () from /lib64/libpthread.so.0
#16 0x00007f203fc09c5d in clone () from /lib64/libc.so.6
#17 0x0000000000000000 in ?? ()
(gdb) bt full
#0 0x00007f203fb62b35 in raise () from /lib64/libc.so.6
No symbol table info available.
#1 0x00007f203fb64111 in abort () from /lib64/libc.so.6
No symbol table info available.
#2 0x00000000004014f6 in segv_handler (signal=<optimized out>) at
charon.c:183
backtrace = 0x674e60
#3 <signal handler called>
No symbol table info available.
#4 memwipe_inline (n=<optimized out>, ptr=<optimized out>) at
utils/utils.h:411
c = 0x66be40 "@\211V@ \177"
m = 139776064641384
i = 8
#5 memwipe_noinline (ptr=0x0, n=139776064641392) at utils/utils.c:109
No locals.
#6 0x00007f203878635d in memwipe (n=<optimized out>, ptr=<optimized out>)
at ../../../../src/libstrongswan/utils/utils.h:432
No locals.
#7 query_sa (this=0x6394d0, src=<optimized out>, dst=0x673610,
spi=305546929, protocol=50 '2', mark=<optimized out>, bytes=0x7f2026ae5ce0,
packets=0x7f2026ae5cd8)
at kernel_netlink_ipsec.c:1685
request =
"(\000\000\000\022\000\001\000H\002\000\000\342\063\000\000-\352\000\000\000\000\000\000\000\000\000\000\001\002\020\001\022\066F\261\n\000\062",
'\000' <repeats 984 times>
out = 0x7f2026ae5968
hdr = <optimized out>
sa_id = <optimized out>
sa = 0x8
*status = FAILED
len = 139776064641392*
#8 0x00007f2040566e6b in update_usebytes (inbound=<optimized out>,
this=<optimized out>) at sa/child_sa.c:432
No locals.
#9 get_usestats (this=0x66a080, inbound=true, time=0x7f2026ae5d30,
bytes=0x0, packets=0x0) at sa/child_sa.c:530
No locals.
#10 0x00007f2040567e31 in get_use_time (this=<optimized out>, inbound=true)
at sa/ike_sa.c:288
enumerator = 0x66e550
child_sa = 0x66a080
use_time = 2757
current = 0
#11 0x00007f204056a27d in send_dpd (this=0x66be40) at sa/ike_sa.c:594
last_in = <optimized out>
diff = <optimized out>
delay = 30
task_queued = false
#12 0x00007f204056466f in execute (this=<optimized out>) at
processing/jobs/send_dpd_job.c:57
ike_sa = <optimized out>
#13 0x00007f20409e7fab in process_jobs (worker=0x6614a0) at
processing/processor.c:219
requeue = {type = JOB_REQUEUE_TYPE_NONE, schedule = JOB_SCHEDULE,
time = {rel = 0, abs = {tv_sec = 0, tv_usec = 0}}}
i = 1
reserved = 2
idle = <optimized out>
this = 0x60a4f0
#14 0x00007f20409ea678 in thread_main (this=0x6614d0) at
threading/thread.c:309
__cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {0,
609407318156031082, 139776490195072, 139776064643072, 140735743592080,
8388608, -705585307852557206,
-705502153799846806}, __mask_was_saved = 0}}, __pad =
{0x7f2026ae5f70, 0x0, 0x0, 0x0}}
not_first_call = <optimized out>
res = <optimized out>
#15 0x00007f20400b27b6 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#16 0x00007f203fc09c5d in clone () from /lib64/libc.so.6